X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=web-conf;h=977c8cfb38166ec6099e56999502594eb159c50d;hb=26e797e8fd4117747ec1bf1246286fa6f6f402c6;hp=6b18b2e5c7ae2b63fb3f10d208cc4a4cec61af92;hpb=25c6d2d6bcf37d708fec0e529a88f035588c8b7d;p=basic-https-conf

diff --git a/web-conf b/web-conf
index 6b18b2e..977c8cf 100755
--- a/web-conf
+++ b/web-conf
@@ -154,6 +154,13 @@ if $ssl; then
     # cleanup the call to ourselves a short bit ago
     rm $se/$h.conf
   fi
+  # these scripts only run on renew, that is kinda dumb.
+  export RENEWED_LINEAGE=/etc/letsencrypt/live/$h
+  for script in /etc/letsencrypt/renewal-hooks/deploy/*; do
+    if [[ -x $script ]]; then
+      "$script"
+    fi
+  done
 fi
 
 
@@ -236,6 +243,19 @@ EOF
 
     if (( port == 443 )); then
       echo "$0: creating $redir_file"
+
+      # note, alternatively:
+      cat >/dev/null <<'EOF'
+#https://webmasters.stackexchange.com/questions/124635/apache-redirect-http-to-https-without-preventing-http
+<If "%{req:Upgrade-Insecure-Requests} == '1'">
+Redirect permanent "/" "https://mydomain.ltd/"
+</If>
+# or, with generic rewrite, we use this on gnu.org
+RewriteEngine on
+RewriteCond %{HTTP:Upgrade-Insecure-Requests} "^1$"
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=307]
+EOF
+
       cat >$redir_file <<EOF
 <VirtualHost *:80>
 ServerName $h
@@ -264,7 +284,7 @@ EOF
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 
 SSLEngine on